Joining Linux to a Windows AD domain

1- Windows domain server information

OS: windows 2016 datacenter
IP: 10.0.0.1
DNS: 10.0.0.1
Domain controller address: leman.cn
Domain administrator: admin (or Administrator), password: Password@1
Domain users/passwords:

  • c101/Password@1
  • c102/Password@2
  • u101/Password@1
  • u102/Password@2

Default domain service ports: 3268 (global catalog) and 389 (LDAP)

2- Join AD and log in over SSH as a domain user [using realm]

2.1- Install the required packages

CentOS7:

yum install -y realmd sssd adcli oddjob oddjob-mkhomedir samba samba-common-tools

Ubuntu18:

apt install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit -y

SSSD is a daemon first introduced in Red Hat Enterprise Linux 6. It can talk to several kinds of authentication servers, such as LDAP and Kerberos, and also provides authorization.

2.2- Discover the domain controller

realm discover -v leman.cn

2.3- Join the domain

hostname centos-1  # must not be localhost; hostnamectl set-hostname centos-1 makes the name persist across reboots

realm join leman.cn -U admin  # without -U, the Administrator account is used by default

2.4- Check the join result

[root@centos-1 ~]# realm list
leman.cn
  type: kerberos
  realm-name: LEMAN.CN
  domain-name: leman.cn
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins

2.5- Let users log in without the domain name suffix

[root@centos-1 ~]# cat /etc/sssd/sssd.conf

[sssd]
domains = leman.cn
config_file_version = 2
services = nss, pam

[domain/leman.cn]
ad_domain = leman.cn
krb5_realm = LEMAN.CN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False  # changed from True to False
fallback_homedir = /home/%u   # home directory; the default is /home/%u@%d, i.e. user name plus domain name
access_provider = ad
[root@centos-1 ~]#
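Added example (not part of the original post): a small bash audit that reads an sssd.conf and reports on the settings this walkthrough touches (domain listed, id_provider, access_provider, short login names, fallback_homedir) plus the 0600 file mode SSSD requires before it will start. The sample config written by write_sample_conf is constructed from the values shown above; the function and message names are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: audit an sssd.conf for the settings
# this walkthrough relies on (section 2.5) and the 0600 mode SSSD itself requires.
set -u

# get_opt FILE SECTION KEY: print KEY's value from [SECTION] with any trailing "# comment" removed
get_opt() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && match($0, "^" key "[ \t]*=") {
            v = substr($0, RLENGTH + 1); sub(/[ \t]*#.*$/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# audit_sssd_conf FILE DOMAIN: print one finding per line; return the number of FAIL/WARN findings
audit_sssd_conf() {
    local f="$1" dom="$2" sec="domain/$2" bad=0 v
    v=$(stat -c '%a' "$f")   # SSSD refuses to start if sssd.conf is readable by others
    [ "$v" = "600" ] || { echo "WARN: $f mode is $v, SSSD expects 0600"; bad=$((bad + 1)); }
    case ",$(get_opt "$f" sssd domains | tr -d ' ')," in *",$dom,"*) ;;
        *) echo "FAIL: $dom is not listed in [sssd] domains"; bad=$((bad + 1)) ;;
    esac
    v=$(get_opt "$f" "$sec" id_provider)
    [ "$v" = "ad" ] || { echo "FAIL: id_provider is '$v', expected ad"; bad=$((bad + 1)); }
    # access_provider decides who may log in: "ad" honours AD account state (disabled, expired),
    # "simple" uses the simple_allow_* lists that realm permit writes, unset/"permit" allows everyone
    v=$(get_opt "$f" "$sec" access_provider)
    case "$v" in
        ad) ;;
        simple) echo "INFO: access_provider=simple, allowed: $(get_opt "$f" "$sec" simple_allow_users) $(get_opt "$f" "$sec" simple_allow_groups)" ;;
        *) echo "FAIL: access_provider is '$v', every domain account can log in"; bad=$((bad + 1)) ;;
    esac
    [ "$(get_opt "$f" "$sec" use_fully_qualified_names)" = "False" ] &&
        echo "INFO: short logins enabled; a domain user can share a login name with a local account"
    [ -n "$(get_opt "$f" "$sec" fallback_homedir)" ] || { echo "WARN: fallback_homedir is unset"; bad=$((bad + 1)); }
    return "$bad"
}

# write_sample_conf FILE: constructed config mirroring section 2.5 (not copied from a real host)
write_sample_conf() {
    printf '%s\n' '[sssd]' 'domains = leman.cn' 'config_file_version = 2' 'services = nss, pam' '' \
        '[domain/leman.cn]' 'ad_domain = leman.cn' 'krb5_realm = LEMAN.CN' 'cache_credentials = True' \
        'id_provider = ad' 'ldap_id_mapping = True' 'use_fully_qualified_names = False  # changed from True' \
        'fallback_homedir = /home/%u' 'access_provider = ad' > "$1"
    chmod 600 "$1"
}
```

Source the file and run `audit_sssd_conf /etc/sssd/sssd.conf leman.cn` on a joined host, or `write_sample_conf /tmp/s.conf; audit_sssd_conf /tmp/s.conf leman.cn` to see it against the sample.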

2.6- Restart the sssd service [[ done ]]

systemctl restart sssd

2.7- Query a Windows domain account

[root@centos-1 ~]# id admin@leman.cn
uid=1037201105(admin) gid=1037200513(domain users) groups=1037200513(domain users)

3- Troubleshooting

3.1- Fixing home directory creation

(or the session exits immediately after login; the root cause is that the home directory is not being created)

vim /etc/pam.d/common-session   # Debian/Ubuntu; on CentOS the equivalent files are /etc/pam.d/system-auth and password-auth
Add the following line after the line (session required pam_unix.so):
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
umask=0022 creates home directories that every local user can read; umask=0077 restricts them to their owner.

3.2- Domain join fails

Insufficient permissions to join the domain
The error output is as follows:

Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Configuration file does not specify default realm)
adcli: couldn't connect to streamcomputing.com domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Configuration file does not specify default realm)
Insufficient permissions to join the domain

This problem is related to DNS (reverse DNS lookup). Temporary workaround:

Create /etc/krb5.conf (if it does not exist) and make sure it contains the following (substitute your own realm for default_realm; Kerberos realm names are conventionally upper case, e.g. LEMAN.CN for this lab):
[libdefaults]
default_realm = alphabook.cn
rdns = false

4- Common realm commands

  1. realm discover -v [ad_name] # discover a domain
  2. realm join -v [-U user] realm-name # join a domain
  3. realm list # list joined domains
  4. realm permit [-ax] [-R realm] user ... # allow specific domain users or domain groups to log in
  5. realm deny --all [-R realm] # deny all domain logins
  6. realm leave -v [-U user] [realm-name] # leave a domain


Reposted from www.cnblogs.com/lemanlai/p/12628808.html